(I had a bout of insomnia last night, and got more done than I had pre-announced yesterday...)

The next version of the Botnet plugin for SpamAssassin is ready. The install instructions are in the Botnet.txt file, and in the INSTALL file.

For those who don't know what Botnet is, it's a plugin which tries to identify whether or not the message has been submitted by a botnet/spam-zombie type host by looking at its DNS characteristics (no reverse DNS, reverse DNS that doesn't resolve, or doesn't resolve back to the relay's IP, or reverse DNS that contains things that look like an ISP's client address). The places I've been using it, and the people I hear about who are using it, have seen a high degree of success.
It can be downloaded from:
http://people.ucsc.edu/~jrudd/spamassassin/Botnet.tar
As usual, feedback, statistics, bug reports, feature suggestions, are all welcome.

NOTE: This will be the last version I announce outside of the SA users mailing list. I don't want to wear out the patience of the other list owners. users@spamassassin.apache.org is where I'll make all further release announcements.
What's new in 0.6:
1) IP in Hostname bug fix (the same IP address octet could be matched twice.. which was a problem if the octet was "1", and the hostname had a sub-string like "101" in it)
2) pass_domains, clientwords, and serverwords weren't insensitive checks
3) typo fixed in botnet.txt
4) moved to Net::DNS (finally; and it's going to be needed for To Do item #3)
5) perl package is now named Mail::SpamAssassin::Plugin::Botnet
6) because clientwords and serverwords are meant to be _words_, they are now wrapped by (\b|\d) (both before and after the word/expression). This is to help avoid false positives where a clientword might have been a substring of a larger word that shouldn't have triggered the check (similarly for serverwords).
7) similarly, pass_domains now have a leading (\.|\A) added to them IF they don't already have \. or \A in front (but it will be added if the expression starts with "." -- since this is a regular expression, that is assumed to mean any single character, so be careful).
8) added debug output for parse_config
9) added "mta" and "relay" to serverwords (used by classmates.com and/or reunion.com)
10) changed dsl to (a|s|d(yn)?)?dsl in clientwords (so, covers adsl, sdsl, ddsl, and dyndsl ... I've seen all of those except ddsl)
11) added res(net|ident(ial)?)? to clientwords (rr.com supposedly uses ".res." in residential/customer IP hostnames, and ".resnet." is common at universities for dorm IP addresses)
12) contemplating adding cpe and cust(omer)? to the controversial clientwords (I think cpe = customer (presence/provided/?) equipment)
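A stand-alone illustration of the checks this announcement describes (the reverse-DNS tests from the description above, plus the 0.6 changes to IP-in-hostname matching, the (\b|\d) word wrapping and the (\.|\A) pass_domains prefix). This is example code written for this page in Python; it is not the plugin's Perl code. The DNS answers are constructed, the word lists are the few entries quoted in the notes, the rule names, the two-octet threshold and the way serverwords offset the client indicators are this example's assumptions.

```python
import re

# Constructed DNS data (not real records): the PTR and A answers this offline example consults.
FAKE_PTR = {
    "192.0.2.10": "mail.example.net",                          # ordinary server, resolves back
    "192.0.2.11": "ppp-192-0-2-11.dsl.example-isp.net",        # IP in hostname, clientword "dsl"
    "192.0.2.12": "host12.example.org",                        # forward lookup points elsewhere
    "192.0.2.13": "gone.example.com",                          # forward lookup fails entirely
    "203.0.113.1": "mta101.example-isp.net",                   # octet "1" inside "101", serverword "mta"
    "192.0.2.15": "dyn-7-8-9-10.residential.example-isp.net",  # clientword "residential"
    "192.0.2.16": "smtp.trusted.example",                      # covered by pass_domains
}
FAKE_A = {
    "mail.example.net": ["192.0.2.10"],
    "ppp-192-0-2-11.dsl.example-isp.net": ["192.0.2.11"],
    "host12.example.org": ["198.51.100.5"],
    "mta101.example-isp.net": ["203.0.113.1"],
    "dyn-7-8-9-10.residential.example-isp.net": ["192.0.2.15"],
}

# Word lists taken from the 0.6 notes. Each entry is a regular-expression fragment; the (\b|\d)
# wrapping is applied as item 6 describes, and matching is case-insensitive (item 2).
CLIENTWORDS = [r"(a|s|d(yn)?)?dsl", r"res(net|ident(ial)?)?"]
SERVERWORDS = [r"mta", r"relay"]
PASS_DOMAINS = [r"trusted\.example"]   # constructed pass_domains entry for this example


def wrap_word(fragment):
    """Item 6: require a word boundary or a digit on both sides of the word/expression."""
    return re.compile(r"(\b|\d)(?:" + fragment + r")(\b|\d)", re.IGNORECASE)


def normalize_pass_domain(fragment):
    r"""Item 7: prepend (\.|\A) unless the expression already starts with \. or \A.
    An expression starting with a bare "." still gets the prefix, and that "." then
    matches any single character, which is the caveat the note warns about."""
    if fragment.startswith(r"\.") or fragment.startswith(r"\A"):
        return fragment
    return r"(\.|\A)" + fragment


def pass_domain_matches(hostname, fragment):
    """Does one pass_domains entry, after item-7 normalization, match this hostname?"""
    return re.search(normalize_pass_domain(fragment), hostname, re.IGNORECASE) is not None


CLIENT_RES = [wrap_word(w) for w in CLIENTWORDS]
SERVER_RES = [wrap_word(w) for w in SERVERWORDS]


def ip_in_hostname_buggy(ip, hostname):
    """The pre-0.6 behaviour as item 1 describes it: a plain substring test, so the digits of
    one run such as "101" can satisfy several octets at once. Kept only to show the difference."""
    return sum(octet in hostname for octet in ip.split(".")) >= 2


def ip_in_hostname(ip, hostname):
    """Count octets that appear as whole numbers in the hostname, consuming each match so the
    same digits are never counted twice. The two-octet threshold is this example's assumption."""
    remaining = hostname
    found = 0
    for octet in ip.split("."):
        m = re.search(r"(?<!\d)" + re.escape(octet) + r"(?!\d)", remaining)
        if m:
            found += 1
            remaining = remaining[:m.start()] + "#" + remaining[m.end():]
    return found >= 2


def classify_relay(ip, ptr=FAKE_PTR, a_records=FAKE_A):
    """Return the checks a relay trips, following the DNS heuristics the announcement lists.
    The rule names used here are labels for this example, not the plugin's rule names."""
    hostname = ptr.get(ip)
    if hostname is None:
        return {"hostname": None, "reasons": ["NORDNS"], "botnet": True}
    if any(pass_domain_matches(hostname, d) for d in PASS_DOMAINS):
        return {"hostname": hostname, "reasons": ["PASS_DOMAIN"], "botnet": False}
    reasons = []
    forward = a_records.get(hostname)
    if forward is None or ip not in forward:
        reasons.append("BADDNS")   # rDNS that doesn't resolve, or doesn't resolve back to the relay IP
    if ip_in_hostname(ip, hostname):
        reasons.append("IPINHOSTNAME")
    if any(r.search(hostname) for r in CLIENT_RES):
        reasons.append("CLIENTWORDS")
    if any(r.search(hostname) for r in SERVER_RES):
        reasons.append("SERVERWORDS")
    # Assumed combination, following the remark that serverwords act as a counter to the
    # client indicators: any client-side hit that is not offset by a serverword.
    client_hit = bool(set(reasons) & {"BADDNS", "IPINHOSTNAME", "CLIENTWORDS"})
    return {"hostname": hostname, "reasons": reasons,
            "botnet": client_hit and "SERVERWORDS" not in reasons}


if __name__ == "__main__":
    for relay_ip in list(FAKE_PTR) + ["198.51.100.77"]:
        print(relay_ip, classify_relay(relay_ip))
```

Running it prints one line per constructed relay. The mta101 host is the item-1 case: the old substring test counts "0" and "1" inside "101" and flags the host, while the digit-bounded version finds no octet at all, and the "mta" serverword then keeps it out of the botnet verdict. The pass_domains helper also shows the item-7 caveat: an entry written as ".example.net" (dot unescaped) ends up matching "xexample.net" and not "mail.example.net".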
----
To Do before 1.0:
1) prepend __ to sub-rules, only BOTNET proper should not have that
2) separate the SA routines from the core algorithms, so that the botnet checks can be used in other perl programs. Include a script that takes an IP addr and answers where/how it passed/failed.
3) try to do a lookup on the sender's email address domain; if it points back to the relay's IP address (A record, or one of the MX records), then that's less likely to be a botnet. Use this like BOTNET_SERVERWORDS -- just a counter to BOTNET_CLIENT. What about SPF, too? (I think that was a suggestion in one of the alternate meta rules)
4) credits for help I've gotten from other people
5) get listed in the wiki
_______________________________________________
NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it.
Visit http://www.mimedefang.org and http://www.roaringpenguin.com

MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang